Pension Benefit Guaranty Corporation
Office of Inspector General
Audit Report

Report on Internal Controls Related to the
Pension Benefit Guaranty Corporation’s
Fiscal Year 2011 and 2010 Financial Statements Audit

November 14, 2011
AUD 2012-2/FA-11-82-2


Report on Internal Controls Related to the
Pension Benefit Guaranty Corporation’s
Fiscal Year 2011 and 2010 Financial Statements

Audit Report AUD-2012-2 / FA-11-82-2


Contents

Section I:     Independent Auditor’s Report

Section II:    Management Comments


Acronyms

A&A         Assessment and Authorization
BAPD        Benefits and Payment Department
CAP         Corrective Action Plan
CFS         Consolidated Financial System
CMS         Case Management System
COOP        Continuity of Operations Program
DoPT        Date of Plan Termination
EDM         Enterprise Data Model
FIPS PUB    Federal Information Processing Standards Publication
FY          Fiscal Year
IAH         Information Assurance Handbook
IPERA       Improper Payments Elimination and Recovery Act
IPVFB       Integrated Present Value of Future Benefits
ISA         Interconnection Security Agreement
IT          Information Technology
MOU         Memorandum of Understanding
NIST        National Institute of Standards and Technology
OFFM        OMB Office of Federal Financial Management
OIG         Office of Inspector General
OIT         Office of Information Technology
OMB         Office of Management and Budget
PAM         Portfolio Accounting and Management
PAS         Premium Accounting System
PBGC        Pension Benefit Guaranty Corporation
PII         Personally Identifiable Information
PLUS        Pension Lump Sum System
PRISM       Participant Records Information Systems Management
RTM         Requirements Traceability Matrix
SOC         Security Operations Center
SP          Special Publication
TAS         Trust Accounting System


Section I

Independent Auditor’s Report


To the Board of Directors, Management,
and Inspector General of the
Pension Benefit Guaranty Corporation
Washington, DC

We have audited the financial statements of the Pension Benefit Guaranty Corporation (PBGC or the Corporation) as of and for the year ended September 30, 2011, and have examined management’s assertion included in PBGC’s Annual Report about the effectiveness of the internal control over financial reporting (including safeguarding assets) and PBGC’s compliance with certain provisions of laws, regulations, and other matters, and have issued our combined report thereon dated November 14, 2011 (see Office of Inspector General (OIG) report AUD-2012-1/FA-11-82-1).

We conducted our audit and examination in accordance with auditing standards generally accepted in the United States of America; Government Auditing Standards, issued by the Comptroller General of the United States; attestation standards established by the American Institute of Certified Public Accountants; and Office of Management and Budget (OMB) audit guidance.

The purpose of this report is to provide more detailed discussions of the specifics underlying the material weaknesses reported in the internal control section of our combined report on PBGC’s fiscal year (FY) 2011 financial statements. As reported in our combined report on PBGC’s FY 2011 financial statements, we identified certain deficiencies in internal control that we consider material weaknesses, and other deficiencies that we consider to be a significant deficiency.

Summary

PBGC protects the pensions of approximately 44 million workers and retirees in more than 27 thousand private defined benefit pension plans. Under Title IV of the Employee Retirement Income Security Act of 1974, PBGC insures, subject to statutory limits, pension benefits of participants in covered private defined benefit pension plans in the United States. To accomplish its mission and prepare its financial statements, PBGC relies extensively on information technology (IT) and the effective operation of the Benefits Administration and Payment Department (BAPD).
Internal controls over these operations are essential to ensure the confidentiality, integrity, and availability of critical data while reducing the risk of errors, fraud, and other illegal acts.

11710 Beltsville Drive, Suite 300
Calverton, MD 20705-3106
tel: 301-931-2050
fax: 301-931-1710
www.cliftoncpa.com

The slow progress of mitigating PBGC’s systemic security control weaknesses and the serious internal control weaknesses in BAPD posed an increasing and substantial risk to PBGC’s ability to carry out its mission during FY 2011. The extended time required and the lack of meaningful progress in PBGC’s multi-year approach to correct previously reported deficiencies at the root cause level introduced additional risks. These include technological obsolescence, inability to execute corrective actions, breakdown in communications, and poor monitoring. BAPD’s weak internal controls create an environment that could lead to fraud, waste, and abuse.

PBGC’s historical decentralized approach to system development and configuration management exacerbated control weaknesses and encouraged inconsistency in implementing strong technical controls and best practices. The influx of 620 plans for over 800,000 participants from 2002-2005 contributed to PBGC’s disjointed IT development and implementation strategy. The mandate to meet PBGC’s mission objectives by implementing technologies to receive the influx of plans superseded proper enterprise planning and IT security controls. The result was a series of stovepipe solutions built upon unplanned and poorly integrated heterogeneous technologies with varying levels of obsolescence.

The Corporation continued its implementation of an enterprise multi-year corrective action plan (CAP) to address IT security issues at the root cause level. PBGC management realizes these weaknesses will continue to pose a threat to its environment for several years while corrective actions are being implemented. PBGC needs to implement interim corrective actions to ensure fundamental security weaknesses do not worsen as the CAP is being implemented.

PBGC performed a more rigorous and thorough assessment and authorization (A&A) process, formerly referred to as a certification and accreditation process. This process identified significant fundamental security control weaknesses for its general support systems, many of which were reported in prior years’ audits. These weaknesses remain unresolved. PBGC reports that the Corporation is in the process of performing A&As on its major applications.

We continued to find deficiencies in the areas of security management, access controls, configuration management, and segregation of duties. Control deficiencies were also found in policy administration and the A&As.

An effective entity-wide security management program requires a coherent strategy for the architecture of the IT infrastructure and the deployment of systems. The implementation of a coherent strategy provides the basis and foundation for the consistent application of policy, controls, and best practices. PBGC first needs to develop and implement a framework to improve its security posture. This framework will require time for effective control processes to mature.

Additionally, serious internal control weaknesses in BAPD’s operations were identified by the Office of the Inspector General (OIG) and others during FY 2011. These significant control weaknesses introduced additional risks to PBGC. Specific deficiencies included errors in valuation of plan assets, lack of documentation supporting benefit payments, errors in benefit calculations, and poor oversight of the Pension and Lump Sum System (PLUS). In response to weaknesses identified by OIG, BAPD is currently undergoing a strategic review that may address organizational structure and operational issues. BAPD stated it will develop a plan in FY 2012 that will address the deficiencies noted in the financial statement audit, the Improper Payments Elimination and Recovery Act (IPERA) mandated review, and other internal reviews. This plan is intended to focus on fundamental issues such as internal controls, processes, contractor oversight, and training and staff competencies.

Based on our findings, we are reporting that the deficiencies in the following areas constitute three material weaknesses for FY 2011:

   1. Entity-wide Security Program Planning and Management
   2. Access Controls and Configuration Management
   3. Benefits Administration and Payment Department Operations

We are also reporting the deficiencies in the following area to be a significant deficiency for FY 2011:

   4. Integrated Financial Management Systems

Detailed findings and recommendations follow.

1. Entity-wide Security Program Planning and Management

An entity-wide information security management program is the foundation of a security control structure and a reflection of senior management’s commitment to addressing security risks. The security management program should establish a framework and continuous cycle of activity for assessing risk, developing and implementing effective security procedures, and monitoring the effectiveness of these procedures. Overall policies and plans are developed at the entity-wide level. System and application-specific procedures and controls implement the entity-wide policy. Through the Federal Information Security Management Act of 2002, Congress requires each Federal agency to establish an agency-wide information security program to provide security to the information and information systems that support the operations and assets of the agency, including those managed by a contractor or other agency. OMB Circular No. A-130, Appendix III, Security of Federal Automated Information Resources, requires agencies to implement and maintain a program to assure that adequate security is provided for all agency information collected, processed, transmitted, stored, or disseminated in general support systems and major applications.

PBGC continued the implementation of its CAP to address fundamental weaknesses in its entity-wide security program planning and management. During FY 2011, PBGC began the implementation of a more rigorous and thorough A&A process. Through this process, PBGC identified significant fundamental security control weaknesses for its general support systems, many of which were reported on in prior years’ audits. While this is an important step in the planning process, these security control weaknesses remain unresolved and PBGC’s efforts lack sufficient meaningful incremental progress. PBGC reports that it is in the process of performing A&As on its major applications. The slow rate of progress has introduced additional risks, including technological obsolescence, inability to execute corrective actions, breakdown in communications, and poor monitoring.

In prior years, PBGC’s entity-wide security program lacked focus and a coordinated effort to adequately resolve control deficiencies. These deficiencies, which persisted throughout FY 2011, prevented PBGC from implementing effective security controls to protect its information from unauthorized access, modification, and disclosure. Without a well-designed and fully implemented information security management program, there is increased risk that security controls are inadequate; responsibilities are unclear, misunderstood, and improperly implemented; and controls are inconsistently applied. Such conditions may lead to insufficient protection of sensitive or critical resources and disproportionately high expenditures for controls over low-risk resources.

The specific weaknesses we found that contributed to the material weakness and our recommendations to correct them are as follows:

•   PBGC had not completed A&As for any major applications.

•   PBGC had not completed A&As for the general support systems hosted by third party processors on behalf of PBGC.

•   National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Recommended Security Controls for Federal Information Systems, identifies 172 controls within 17 security control families. PBGC identified 130 of these controls as its common security controls. While PBGC has stated it anticipates completion of the CAP in early 2015, as of the end of FY 2011 it had not documented the details of the specific actions needed to complete and confirm the design, implementation, and operating effectiveness of these identified common security controls.

•   Weaknesses in PBGC’s infrastructure design and deployment strategy for systems and applications adversely affected its ability to effectively implement common security controls across its systems and applications.
    Without full development and implementation, security controls are inadequate; responsibilities are unclear, misunderstood, and improperly implemented; and controls are inconsistently applied. Such conditions lead to insufficient protection of sensitive or critical resources or disproportionately high expenditures for controls. Consequently, as PBGC had not completed and confirmed the design, implementation, and operating effectiveness of its common security controls, management cannot have confidence that the controls were implemented.

    Recommendations:

    o   Effectively communicate to key decision makers the state of PBGC’s IT infrastructure and environment to facilitate the prioritization of resources to address fundamental weaknesses. (OIG Control # FS-09-01)

    o   Document and execute the details of the specific actions needed to complete and confirm the design, implementation, and operating effectiveness of all 130 identified common security controls. (OIG Control # FS-08-01 *Modified)

    o   Develop a process to review and validate reported progress on the implementation of the common security controls. Implement a strategy to test and document the effectiveness of each new control implemented. (OIG Control # FS-09-02)

    o   Develop and implement a well-designed security management program that will provide security to the information and information systems that support the operations and assets of the Corporation, including those managed by contractors or other Federal agencies. (OIG Control # FS-09-03)

    o   Complete the development and implementation of the redesign of PBGC’s IT infrastructure, and the procurement and implementation of technologies to support a more coherent approach to providing information services and information system management controls. (OIG Control # FS-09-04)

    o   Implement an effective review process to validate the completion of the A&A packages for all major applications. The review should not be performed by an individual associated with the performance of the A&A, or by someone who could influence the results. This review should be completed for all components of the work performed to ensure substantial documentation is available that supports and validates the results obtained. (OIG Control # FS-08-02 *Modified)

    o   Ensure that adequate documentation is maintained which supports, substantiates, and validates all results and conclusions reached in the A&A process for all major applications. (OIG Control # FS-09-05 *Modified)

    o   Establish and implement comprehensive procedures and document the roles and responsibilities that ensure oversight and accountability in the A&A review process for major applications. Retain evidence of oversight reviews and take action to address erroneous or unsupported reports of progress. (OIG Control # FS-09-06 *Modified)

    o   Maintain an accurate and authoritative inventory list of major applications and general support systems. Ensure the list is disseminated to responsible staff and used consistently throughout PBGC Office of IT (OIT) operations. (OIG Control # FS-09-07)

    o   Implement an independent and effective review process to validate the completion of the A&A packages for all major applications. (OIG Control # FS-08-03 *Modified)

    o   Implement an independent and effective review process to validate the completion of the A&A packages for general support systems hosted on behalf of PBGC by third party processors. The effective review should include examining host and general controls risk assessments. (OIG Control # FS-08-03 *Modified)

•   Information security policies and procedures were not fully disseminated and implemented. PBGC is not able to effectively enforce compliance for security awareness training. PBGC currently has a cumbersome and error-prone manual process to account for personnel who have completed security awareness training. The process is ineffective and limits PBGC’s ability to ensure that all required personnel have completed security awareness training.

    Lack of security awareness can lead to increased risk of security breaches and exposure to fraud. Controls may not be placed in operation as mandated by PBGC policies.

    Recommendation:

    o   Continue to disseminate the awareness of PBGC’s security policies and procedures through adequate training. (OIG Control # FS-07-04 *Modified)

•   In FY 2010, PBGC’s benefit payments service provider (service provider) implemented a security operations center (SOC) outside of the United States (US) without providing PBGC adequate advance notice. In FY 2011, PBGC completed a risk assessment, but the assessment did not contain adequate evidence to verify and validate the technical security risks of the SOC.
    Because the SOC has some responsibility for monitoring security-related events associated with the PLUS application and components of its system boundary, it is important that PBGC assess risks to its systems and implement mitigating controls to ensure compliance with PBGC’s policies and procedures.

    Recommendations:

    o   Develop and implement an immediate plan of action to address the potential security risk posed by locating the SOC outside of the US. (OIG Control # FS-10-01)

    o   Review PBGC contracts to ensure contractors are required to comply with PBGC information security standards and the Federal Information Security Management Act (FISMA). (OIG Control # FS-10-02)

    o   Ensure that adequate controls in the design and implementation of the SOC are in place to protect PBGC PLUS. (OIG Control # FS-11-01)

•   PBGC has not executed interconnection security agreements (ISA) or memorandums of understanding (MOU) with all external organizations whose systems interconnect with PBGC’s systems. Controls to require such agreements do not exist.

    PBGC is in the process of planning and documenting security agreements for interconnection with all external organizations’ systems. In the absence of an ISA and MOU, either party (PBGC or the external system owner) may be unfamiliar with the technical requirements of the interconnection and the details that may be required to provide overall security for systems that are interconnected.

    Recommendation:

    o   Develop controls and implement an ISA and MOU with all external organizations whose systems connect to PBGC’s systems. (OIG Control # FS-10-03 *Modified)

2. Access Controls and Configuration Management

Although access controls and configuration management controls are an integral part of an effective information security management program, access controls remain a systemic problem throughout PBGC. PBGC’s decentralized approach to system development, system deployments, and configuration management created an environment that lacks a cohesive structure in which to implement controls and best practices. Weaknesses in the IT environment contributed significantly to deficiencies in system configuration, segregation of duties, role-based access controls, and monitoring. Furthermore, PBGC’s information systems are overlapping and duplicative, employing obsolete and antiquated technologies that are costly to maintain. The state of PBGC’s IT environment led to increased IT staffing needs, manual workarounds, reconciliations, extensive manipulation, and excessive manual processing that have been ineffective in providing adequate compensating controls to mitigate system control weaknesses.

Access controls should be in place to consistently limit and detect inappropriate access to computer resources (data, equipment, and facilities) and to monitor access to computer programs, data, equipment, and facilities. These controls protect against unauthorized modification, disclosure, loss, or impairment. Such controls include both logical and physical security controls to ensure that Federal employees and contractors will be given only the access privileges necessary to perform business functions. Federal Information Processing Standards Publication (FIPS PUB) 200, Minimum Security Requirements for Federal Information and Information Systems, specifies minimum access controls for Federal systems. FIPS PUB 200 requires PBGC’s information system owners to limit information system access to authorized users.

Industry best practices, NIST SP 800-64, Security Considerations in the System Development Life Cycle, and other Federal guidance recognize the importance of configuration management when developing and maintaining a system or network. Through configuration management, the composition of a system is formally defined and tracked to ensure that an unauthorized change is not introduced. Changes to an information system can have a significant impact on the security of the system. Documenting information system changes and assessing the potential impact on the security of the system, on an ongoing basis, is an essential aspect of maintaining the security posture. An effective entity-wide configuration management and control policy and associated procedures are essential to ensuring adequate consideration of the potential security impact of specific changes to an information system. Configuration management and control procedures are critical to establishing an initial baseline of hardware, software, and firmware components for the entity and subsequently controlling and maintaining an accurate inventory of any changes to the system.

Inappropriate access and configuration management controls do not provide PBGC with sufficient assurance that financial information and financial assets are adequately safeguarded from inadvertent or deliberate misuse, fraudulent use, improper disclosure, or destruction.

The specific weaknesses we identified in prior years that contributed to the material weakness identified in FY 2011 and our recommendations to correct them are as follows:

•   PBGC’s configuration management controls are labor intensive and ineffective. Weaknesses in the design of PBGC’s infrastructure and deployment strategy for systems and applications created an environment where strong technical controls and best practices cannot be effectively implemented. Configuration management controls are therefore not consistently implemented across PBGC’s general support systems. PBGC’s three IT environments (development, test, and production) do not share common server configurations; therefore, management cannot rely on results obtained in the development or test environments prior to deployment in production. Overall, the PBGC environment suffers from inadequate configuration, roles, privileges, logging, monitoring, file permissions, and operating system access.

    PBGC’s infrastructure does not adequately segregate the production, development and testing environments. The current environment does not provide adequate controls in which to implement an effective application development and change control program.

    Significant weaknesses in configuration management noted in prior years and continuing throughout FY 2011 included the following:

    −   Sensitive program scripts and utilities, open directories, and unsafe service accounts were not restricted.
    −   Unnecessary network services and duplicate groups with privileged system access were not removed.
    −   Baseline security reports were not being created and reviewed.
    −   Ownership and permissions of critical files and directories were inappropriately configured.
    −   The root account could be logged into from multiple virtual consoles.
    −   The database replication from headquarters to the COOP installation is lacking in functionality and completeness, and would require a significant amount of subject matter expert manual intervention to fail back to headquarters in the event of an actual system failure.
    −   Developers had access to sensitive information in production.
    −   The IT system life cycle methodology is not consistently implemented across all projects within PBGC.
We reviewed the Product Quality Assurance audit summary of\n    the HP Service Manager 7 software implementation and noted that various critical\n    components were lacking such as:\n    o Weaknesses noted in the approval, configuration management and change\n        control processes.\n    o Failure to obtain approval signatures on key documents and test artifacts.\n    o Incomplete Requirements Traceability Matrix (RTM).\n    o Failure to update the RTM resulting in lack of traceability between the\n        requirements and the test cases.\n    o Lack of evidence that key test activities were conducted in the test environment\n        as planned.\n\xe2\x88\x92   Backout plans for reversing system changes, in case of an unexpected situation, are\n    not consistently documented.\n\nControls are not in place to ensure adequate consideration of the potential security\nimpacts due to specific changes to an information system or its surrounding\nenvironment. PBGC is exposed to increased risk of data modification or deletion.\nUnauthorized changes could occur undetected. Applications and critical business\nprocesses may not be restored in a timely manner in the event of a disaster.\n\nRecommendations:\n\no   Develop and implement procedures and processes for the consistent implementation\n    of common configuration management controls to minimize security weaknesses in\n    general support systems. (OIG Control # FS-07-07)\n\no   Develop and implement a coherent strategy for correcting IT infrastructure\n    deficiencies and a framework for implementing common security controls, and\n    mitigating the systemic issues related to access control by strengthening system\n    configurations and user account management for all of PBGC\xe2\x80\x99s information systems.\n    (OIG Control # FS-09-12)\n\n\n\n\n                                        8\n\x0c    o   Establish baseline configuration standards for all of PBGC\xe2\x80\x99s systems. 
(OIG Control\n        # FS-09-13)\n\n    o   Review configuration settings and document any discrepancies from the PBGC\n        configuration baseline. Develop and implement corrective actions for systems that do\n        not meet PBGC\xe2\x80\x99s configuration standards. (OIG Control # FS-09-14)\n\n    o   Ensure test, development and production databases are appropriately segregated to\n        protect sensitive information and fully utilized to increase system performance.\n        (OIG Control # FS-09-15)\n\n    o   Establish interim procedures to implement available compensating controls (such as\n        establishing a test team to verify developer changes in production) until a\n        comprehensive solution to adequately segregate test, development and production\n        databases can be implemented. (OIG Control # FS-09-16)\n\n\xe2\x80\xa2   PBGC\xe2\x80\x99s policies and practices have not effectively restricted the addition of unnecessary\n    and generic accounts to systems in production. Consequently, the number of\n    unnecessary and generic accounts grew over the years. PBGC management has not\n    determined if the removal of all legacy generic accounts would disrupt production\n    activities. PBGC has taken action to review generic accounts on the general support\n    system, removing those that are unnecessary and approving those that are necessary,\n    however, more work is needed to ensure that all unnecessary and generic accounts are\n    removed. 
Management stated that the process for recertifying accounts will include\n    generic accounts, service accounts, user accounts and system accounts.\n\n    Failure to identify and remove unnecessary accounts from the system could result in\n    PBGC\xe2\x80\x99s systems being at an increased risk for unauthorized access, modification, or\n    deletion of sensitive system and/or participant information.\n\n    Recommendation:\n\n    o   Continue to remove unnecessary user and/or generic accounts. (OIG Control # FS-\n        07-08)\n\n\xe2\x80\xa2   Controls are not consistently implemented to appropriately segregate duties and grant\n    rights and privileges commensurate with the job functions and responsibilities. PBGC\n    does not have a coherent strategy for enforcing segregation of duties through strong\n    technical controls in its applications and general support systems. Password\n    management controls are not consistently implemented and are not standardized.\n    PBGC\xe2\x80\x99s historical decentralized approach to system development and configuration\n    management has exacerbated inconsistency and control weaknesses in implementing\n    strong technical controls to enforce segregation of incompatible duties.\n\n    Incompatible duties and improper password management increase the potential risk of\n    fraud, errors and ommissions.\n\n\n\n\n                                            9\n\x0c    Recommendations:\n\n    o   Consistently implement controls to appropriately segregate duties and grant rights\n        and privileges commensurate with the job functions and responsibilities.\n        (OIG Control # FS-07-09)\n\n    o   Assess the risk associated with the lack of segregation of duties, password\n        management, and overall inadequate system configuration. Discuss risk with system\n        owners and implement compensating controls wherever possible. 
If compensating controls cannot be implemented, the system owner should sign off indicating risk acceptance. (OIG Control # FS-09-17 *Modified)

• Some developers have access to the production environment, which exposes PBGC to the risk of unauthorized modification of the application, circumvention of critical controls, and unnecessary access to sensitive data. Weaknesses in the design of PBGC’s infrastructure and deployment strategy for legacy systems and applications created an environment in which developers have unrestricted access to production. PBGC has not developed and implemented adequate compensating controls to restrict developers’ access to production. PBGC has not fully resolved infrastructure design issues, nor has it developed and implemented a coherent program to manage and maintain legacy applications.

Failure to appropriately restrict privileged access to the production environment could result in unauthorized access, modification or deletion of sensitive system and/or participant information and the release of harmful code into the production environment.

Recommendations:

o Appropriately restrict developers’ access to the production environment to temporary emergency access only. (OIG Control # FS-07-10)

o Assess developers’ access to production on all PBGC systems and determine whether access is required based on the security principles of “need to know” and “least privilege”. If developers require access to a specific application, the reason should be documented and management should sign off indicating acceptance of the risk(s).
In all other instances developer access to production should be removed immediately. (OIG Control # FS-09-18)

• Controls are not consistently applied to ensure that authentication parameters for general support systems (e.g. Novell, Windows, Sun Solaris, Oracle, etc.) and applications comply with the Information Assurance Handbook (IAH). PBGC’s decentralized approach to system development and configuration management has made it particularly difficult to implement consistent technical controls across PBGC’s many systems, platforms, and applications.

Failure to follow secure build standards and to reassign or remove unowned user files provides internal and external attackers additional paths into PBGC’s systems and could result in an increased risk of unauthorized access, modification, or deletion of sensitive system and participant information.

Recommendations:

o Consistently apply controls to ensure that authentication parameters for PBGC’s general support systems (e.g. Novell, Windows, Sun Solaris, Oracle, etc.) and applications comply with the IAH. (OIG Control # FS-07-11)

o Implement a manual review process whereby OIT periodically reviews systems for compliance with baseline settings. (OIG Control # FS-09-19)

• PBGC’s configuration management weaknesses have contributed significantly to its inability to effectively implement controls to ensure the consistent removal and locking out of generic or dormant accounts.
The lack of controls to remove or disable inactive and dormant accounts exposes PBGC’s systems to exploitation and compromise.

Recommendation:

o For the remaining systems, apply controls to remove/disable inactive and dormant accounts after a specified period in accordance with the IAH. (OIG Control # FS-07-12 *Modified)

• The OIT recertification process is incomplete and only addresses generic and service accounts; it does not include all user and system accounts. In addition, the Recertification of User Access Process, version 4.0, does not explicitly state that all accounts (e.g. user, system, and service) across all platforms and applications will be recertified annually. PBGC’s infrastructure design and configuration management weaknesses have contributed significantly to its inability to effectively implement controls to recertify all user and system accounts.

Unauthorized users could gain access to PBGC’s data and personally identifiable information (PII). Without periodic recertification of accounts (user, generic, service and system), management does not have adequate assurance that only currently authorized users have access to PBGC resources.

Recommendation:

o Complete the implementation of the recertification process for all user and system accounts. Continue to perform annual recertification and include all of PBGC’s accounts (e.g. user, generic, service, and system accounts) for general support systems and major applications.
(OIG Control # FS-07-13)

• Vulnerabilities found in key databases and applications include weaknesses in configuration, roles, privileges, auditing, file permissions, and operating system access. These PBGC system vulnerabilities are caused by an ineffective deployment strategy in the development, test, and production environments. Ineffective system deployments have resulted in an environment that is in disarray.

Security control weaknesses and vulnerabilities in key databases remain unresolved. These control weaknesses are scheduled to be corrected in 2013. These weaknesses expose PBGC to increased risk of data modification or deletion. Unauthorized changes could occur and not be detected.

Recommendations:

o Implement controls to remedy vulnerabilities noted in key databases and applications, such as weaknesses in configuration, roles, privileges, auditing, file permissions, and operating system access. (OIG Control # FS-07-14)

o Implement controls to remedy weaknesses in the deployment of servers, applications, and databases in the development, test, and production environments. (OIG Control # FS-09-20)

• Access request authorizations were not appropriately documented. PBGC has not fully implemented controls to ensure Enterprise Local Area Network Forms are properly documented and maintained.

Failure to ensure proper authorization may expose PBGC’s systems to inadequate segregation of incompatible duties and to unauthorized users having access to PBGC data and PII.

Recommendation:

o Ensure that adequate documentation of access authorization is maintained by implementing proper monitoring and enforcement measures in compliance with approved policies and procedures.
(OIG Control # FS-07-15)

• PBGC lacks an effective process to track contractors throughout their employment at PBGC, including appropriate notification of start dates and separation. PBGC updated its directive PM 05-1, PBGC Entrance on Duty and Separation Procedures for Federal and Contract Employees, in FY 2011 to provide for the effective enforcement of controls designed to track the entrance and separation of all Federal and contract employees. However, the implementation of PM 05-1 has not reached a level of maturity sufficient to test and validate the effectiveness of these controls. Without full implementation, security controls are inadequate to prevent contractors from having unauthorized access to PBGC’s systems, applications, and facilities.

Recommendation:

o Update and enforce directive PM 05-1, PBGC Entrance on Duty and Separation Procedures for Federal and Contract Employees, to ensure contract personnel can be tracked effectively. Also, ensure a formal Entrance on Duty and Separation Clearance process is followed. (OIG Control # FS-07-16)

• Periodic logging and monitoring of security-related events for PBGC’s applications were inadequate for CFS, the Premium Accounting System (PAS), the Trust Accounting System (TAS), Participant Records Information Systems Management (PRISM), and the Integrated Present Value of Future Benefits (IPVFB) system. PBGC’s IT infrastructure consists of multiple legacy systems and applications (e.g. PAS, TAS, IPVFB, PRISM, etc.) that do not have a coherent architecture for management and security.

Controls are not in place to ensure adequate consideration of the potential security impacts of specific changes to an information system or its surrounding environment.
PBGC is exposed to increased risk of data modification or deletion. Unauthorized changes could occur undetected.

Recommendation:

o Implement a logging and monitoring process for application security-related events and critical system modifications (e.g. CFS, PAS, TAS, PRISM, and IPVFB). (OIG Control # FS-07-17)

• The application virtualization/application delivery product Citrix MetaFrame Presentation Server, used by PBGC’s benefit payments service provider to connect to its benefit payments system, PLUS, reached its end-of-life date on December 31, 2009. PBGC did not include the Citrix MetaFrame Presentation Server in the system boundary when conducting the A&A of the PLUS application. Although continuous monitoring was implemented, no alerts were provided to PBGC about the application virtualization/application delivery product becoming obsolete and the resulting security risk to PLUS. Obsolete software may expose PBGC’s infrastructure to security-related vulnerabilities. PBGC is exposed to increased risk of data modification or deletion. Unauthorized changes could occur undetected.

• Privileged TeamConnect group accounts use shared accounts to grant access to users. The activity of these privileged users cannot be tracked and/or traced to an individual user. Additionally, TeamConnect developers have access to both the development and the production system. Malicious changes could be made without detection.

Recommendations:

o Replace the Citrix MetaFrame Presentation Server. (OIG Control # FS-10-04)

o Include the application virtualization/application delivery product used by the benefit payments service provider to access the PLUS application in the system boundary. (OIG Control # FS-10-05)

o Establish unique accounts for each user in TeamConnect.
(OIG Control Number FS-11-02)

o Restrict developers’ access to production. (OIG Control Number FS-11-03)

o Implement a log review process that does not rely on TeamConnect’s developers reviewing the logs. (OIG Control Number FS-11-04)

o Implement compensating controls for logging and review of changes made by powerful shared accounts. (OIG Control Number FS-11-05)

3. Benefits Administration and Payment Department Operations

BAPD had serious internal control weaknesses identified by OIG and others during FY 2011 that introduced additional risks to PBGC. Specific deficiencies included errors in valuation of plan assets, lack of documentation supporting benefit payments, errors in benefit calculations, and poor oversight of PLUS. In response to weaknesses identified by OIG, BAPD is currently undergoing a strategic review that may address organizational structure and operational issues. BAPD stated it will develop a plan in FY 2012 that will address the deficiencies noted in the financial statement audit, the IPERA-mandated review, and other internal reviews. This plan is intended to focus on fundamental issues such as internal controls, processes, contractor oversight, and training and staff competencies.

Internal control weaknesses were pervasive throughout BAPD; however, many of the weaknesses identified as part of our financial statement audit stemmed from poor management of contractors. Effective oversight requires good communication with contractors on their responsibilities for contract compliance and on providing timely information to PBGC that may affect the controls and/or PBGC’s environment. Contracted services are an extension of PBGC’s internal controls.
PBGC’s management does not always consider the exposure and risk that contractors introduce into its environment and how to manage that risk. PBGC does not properly review, assess, and monitor contractors’ internal controls related to contracted services.

During FY 2011 we noted deficiencies in BAPD’s oversight of contracted reviews of asset values at the date of plan termination (DoPT). These deficiencies were caused by a failure to establish and apply a quality review process to verify and validate the satisfactory completion of contracted DoPT plan asset valuation audits, and a failure to establish a detailed process to ensure the consistent application of a methodology to determine the fair market value of plan assets at DoPT as required by regulation. Specific deficiencies noted include the following:

• PBGC did not exercise due professional care in the conduct and oversight of contracted audits of asset values at DoPT. PBGC accepted plan asset values based on audits with audit procedures not performed or not properly documented.
Audits were identified, and accepted, that did not meet contractual requirements to conduct the audit consistent with Generally Accepted Government Auditing Standards.

• There were instances where no corroborating evidence existed that PBGC personnel reviewed the contractors’ work; however, plan asset values were approved and used in the determination of plan benefit payments and the present value of future benefits.

• PBGC has not developed a plan to ensure the proper oversight of future plan asset valuations and to ensure the identification and correction of past errors.

Recommendations:

o Implement procedures to verify that future contracts for plan asset valuations clearly outline expectations and deliverables in the statement of work. (OIG Control Number # FS-11-06)

o Develop a quality assurance program aimed at ensuring that plan asset valuations meet the regulatory standard of determining fair market value based on the method that most accurately reflects fair market value. (OIG Control Number # FS-11-07)

o Enhance and formalize efforts to improve staff skills, whether Federal or contractor, in planning the valuation reviews, understanding the risks, and developing appropriate scopes and procedures to support credible and reliable results. (OIG Control Number # FS-11-08)

o Identify those plans that might potentially have a pervasive misstatement to the financial statements if DoPT asset values were originally misstated. Management should then re-evaluate the DoPT asset values for those identified plans and consider the impact of any known differences on the financial statements.
(OIG Control Number # FS-11-09)

A strong control environment is imperative to provide reasonable assurance that funds are not lost because of improper payments, whether fraudulent or erroneous. A critical element of an effective control environment is a process to accumulate and archive documentation, including evidence of appropriate review and approval. Specific deficiencies noted include the following:

During FY 2011 PBGC performed an IPERA-mandated review which resulted in the identification of numerous instances where benefit payments were not supported by sufficient documentation necessary to verify the accuracy of the payment, and/or lacked evidence of appropriate review and approval. A statistical extrapolation of the sample results was performed, and this statistical projection indicated that a serious condition exists.

In our testing of benefit calculations, we noted several instances where documents relied upon in the calculations were not archived in the Image Processing System.

Lack of appropriate documentation results in limited physical and financial controls, and could lead to improper benefit payments, as well as misunderstandings and conflicts with participants regarding the amounts and timing of their benefit payments. Best practice for the maintenance of source records should include a consolidation of all relevant data in a common location.

Recommendations:

o Modify the BAPD Operations Manual to explicitly incorporate policies and procedures to archive source records. The BAPD Operations Manual details the process of creating the participant database, but does not explicitly require the archival of source records.
(OIG Control Number # FS-11-10)

o Ensure adequate documentation is maintained which supports, substantiates, and validates benefit payment calculations, by implementing proper monitoring and enforcement measures in compliance with approved policies and procedures. (OIG Control # FS-11-11)

We noted deficiencies in BAPD’s benefit determination process resulting in errors in calculated benefits. Specific deficiencies noted include the following:

• Testing of benefit calculations revealed instances where benefit determinations were incorrectly calculated due to errors in the application of plan provisions.

Recommendation:

o Improve the training of persons tasked with the calculation and review of benefit determinations to ensure their skills are matched with the complexity of the tasks assigned. (OIG Control Number FS-11-12)

• An MOU between PBGC and the service provider for the PLUS application was executed within PBGC, between PBGC federal employees, and not with the service provider. This MOU is needed to document the service provider’s responsibilities and security requirements for PLUS; however, it serves no purpose since the service provider did not sign it. Further, executing the MOU between federal employees and omitting the service provider demonstrates a lack of understanding of the purpose and importance of the agreement.

Recommendation:

o Obtain a contract system representative’s signature on the PLUS MOU or, alternatively, develop an interconnection security agreement (ISA) between PBGC and the benefit payments service provider for the connection.
(OIG Control Number FS-11-13)

• PBGC did not review the service provider personnel’s access to the PLUS system to ensure the personnel were appropriately recertified. PBGC relies upon the service provider to test recertification and to assert that individuals have the proper access to the system. PBGC performed no further review to test the service provider’s assertion that user access is appropriate. The risk to PBGC is increased because the service provider’s PLUS users typically have greater access to the PLUS system than users at PBGC.

Recommendation:

o Annually review contractor access recertifications for the benefit payments service provider employees with access to PLUS. (OIG Control Number FS-11-14)

• PBGC did not conduct a review of the PLUS System Contingency Plan until July 2011, when we requested the documentation as part of the financial statement audit. Even after receipt of the document, PBGC did not evaluate the scope of the contingency plan, nor did PBGC assess the plan’s compliance with NIST SP 800-34 requirements. Without a full review of the PLUS System Contingency Plan, PBGC cannot assess the adequacy of the plan and may not be able to recover from a disaster.

Recommendation:

o Review the PLUS contingency plan for compliance with NIST SP 800-34 requirements. (OIG Control Number FS-11-15)

• Our assessment of the information PBGC provided as support for assessing the risk of operating a SOC in a foreign country found that PBGC’s risk assessment was not adequate.
The information relied upon included a generic overview of connectivity which did not demonstrate specifics on encryption end points, protocol filters, source and destination filters, and the locations of intervening infrastructure components critical to the analysis of any design investigation. Without detailed network documentation of the SOC, SSC and PBGC, the risks of the SOC implementation cannot be adequately assessed. Further, PBGC did not address the verification of background checks for the employees of the foreign-country SOC, and PBGC was unable to adequately assess the risks of the SOC implementation. Without proper background checks, PBGC may place trust in an individual who is a security risk. Without a proper assessment of the risk of a SOC implementation, PBGC may not be able to monitor or implement adequate security controls.

Recommendations:

o Develop and implement a policy to identify and document the risks associated with PBGC operations performed in foreign countries, ensure appropriate management review, and take appropriate actions to mitigate identified risks. (OIG Control Number # FS-11-16)

o For the PLUS SOC operating in a foreign country, revise the existing risk assessment to identify and document risks, and take appropriate actions. (OIG Control Number # FS-11-17)

4. Integrated Financial Management Systems

The risk of inaccurate, inconsistent, and redundant data is increased because PBGC lacks a single integrated financial management system.
The current system cannot be readily accessed and used by financial and program managers without extensive manipulation, excessive manual processing, and inefficient balancing of reports to reconcile disbursements, collections, and general ledger data.

OMB Circular A-127, Financial Management Systems, requires that Federal financial management systems be designed to provide for effective and efficient interrelationships between software, hardware, personnel, procedures, controls, and data contained within the systems. The Circular states:

    A financial system, hereafter referred to as a core financial system, is an information system that may perform all financial functions including general ledger management, funds management, payment management, receivable management, and cost management. The core financial system is the system of record that maintains all transactions resulting from financial events. It may be integrated through a common database or interfaced electronically to meet defined data and processing requirements. The core financial system is specifically used for collecting, processing, maintaining, transmitting, and reporting data regarding financial events.
    Other uses include supporting financial planning, budgeting activities, and preparing financial statements. Any data transfers to the core financial system must be: traceable to the transaction source; posted to the core financial system in accordance with applicable guidance from the Federal Accounting Standards Advisory Board; and in the data format of the core financial system.

OMB’s Office of Federal Financial Management (OFFM), Core Financial System Requirements, lists the following financial management system performance goals, outlined in the Framework document, applicable to all financial management systems. All financial management systems must do the following:

• Demonstrate compliance with accounting standards and requirements.

• Provide timely, reliable, and complete financial management information for decision making at all levels of government.

• Meet downstream information and reporting requirements with transaction processing data linked to transaction engines.

• Accept standard information integration and electronic data to and from other internal, governmentwide, or private-sector processing environments.

• Provide for “one-time” data entry and reuse of transaction data to support downstream integration, interfacing, or business and reporting requirements.

• Build security, internal controls, and accountability into processes and provide an audit trail.

• Be modular in design and built with reusability as an objective.

• Meet the needs for greater transparency and ready sharing of information.

• Scale to meet internal and external operational, reporting, and information requirements for both small and large entities.

Because PBGC has not fully
integrated its financial systems, PBGC’s ability to accurately and efficiently accumulate and summarize information required for internal and external financial reporting is impaired. Many of the weaknesses included in this report were reported in prior years. The specific weaknesses we found that contributed to the material weakness, and our recommendations to correct them, are as follows:

Lack of standard data classifications and common data elements:

• PBGC continues to work towards a logical database model, the Enterprise Data Model (EDM). Elements of the EDM include the general ledger, purchases, portfolio management, payroll, investment management, financial institutions, budgeting, accounts receivable, and accounts payable. Until the development and implementation of the EDM is complete, the current systems have no centralized data catalog defining data elements and no common data access method available for current databases.

• The current decentralized database structure may lead to erroneous financial and participant data. For example, the same data elements must be reformatted or are used for different purposes across PBGC’s various applications.

• The current decentralized database structure may lead to outdated financial or participant data.
Because participant data must be reformatted and distributed to multiple PBGC systems, users may be relying on outdated information to make business decisions.

Duplication of transaction entry:

• Probable and multi-employer plan data initially entered into IPVFB must be manually re-entered into a spreadsheet and then manually entered into CFS as adjusting journal entries.

• Plan data initially entered into the Case Management System (CMS) application must be re-entered into the TAS application’s portfolio header.

• Plan contingency listings are determined using data extracted from PAS. However, plans with multiple filings must be manually aggregated before the plans can be classified.

• Plan sponsor address information must be manually entered into CFS to process refunds.

Obsolete and antiquated technologies:

PBGC’s information systems employ obsolete and antiquated technologies that pose additional risk to the availability of financially significant systems. These technologies are unsupported and add to the challenges of integrating PBGC’s systems in an IT infrastructure that lacks a cohesive architecture and design.

A Federal agency’s ability to effectively and efficiently maintain and modernize its existing IT environment depends primarily on how well it employs certain IT management controls that are embodied in statutory requirements, Federal guidance, and best practices.
Among other things, these controls include strategic planning and performance measurement, portfolio-based investment management, human capital management, enterprise architecture (and supporting segment architecture) development and use, and responsibility and accountability for modernization management.

If managed effectively, IT investments can have a dramatic impact on an organization’s performance and accountability. If not correctly managed, they can result in wasteful spending and lost opportunities for achieving mission goals and improving mission performance. PBGC has had several false starts in modernizing its systems and applications that have either been abandoned, such as the suspension of work on the Premium and Practitioner System to replace PAS, or have been ineffective in leading to the integration of its financially significant systems. Unless PBGC develops and implements a well-designed IT architecture and infrastructure to guide and constrain modernization projects, it risks investing time and resources in systems that do not reflect the Corporation’s priorities, are not well integrated, are potentially duplicative, and do not optimally support mission operations and performance.

To its credit, PBGC began to develop an overall strategy, but much work remains before the strategy can be completed and implemented. Steps PBGC has taken include the following:

• Continued work on its Enterprise Target Architecture (ETA), which provides the road map for all PBGC system development and integration, including financial management system integration.

• Implemented interface enhancements for CFS, including the payroll interface modernization, procurement interface, travel interface, and invoice automation.
These interfaces provide additional automated capabilities for CFS and reduce the amount of manual data input for certain transactions.

However, major work remains to be completed to provide PBGC with integrated financial management capabilities. PBGC plans to implement the Trust Accounting and FY File System (TAS), which is currently in the design phase. TAS will replace the existing financial applications Portfolio Accounting and Management (PAM), FY File, TIS, and TIS Transfer. Additionally, TAS will have automated interfaces with CMS, CFS, and the Integrated Present Value of Future Benefits (IPVFB) system. TAS implementation is currently planned for August 2012. Additionally, PBGC has identified future capabilities in its financial management to-be architecture, including a procurement system and an online budgeting system.

Recommendation:

o PBGC needs to develop and execute a plan to integrate its financial management systems in accordance with OMB Circular A-127.
(OIG Control # FS-07-18)\n\n                                   ***********************************\n\nThe internal control report recommendations status is presented in Exhibit I.\n\nThis report is intended for the information and use of the management and Inspector General of\nPBGC and is not intended to be and should not be used by anyone other than these specified\nparties.\n\n\nA1\nCalverton, Maryland\nNovember 14, 2011\n\n\n\n\n                                                20\n\x0c             EXHIBIT I - Status of Internal Control Report Recommendations\n\n\nPrior Year Internal Control Report Recommendation Closed During FY 2011:\n\nRecommendation                  Date Closed     Original Report Number\nFS-10-06                        11/2/2011       AUD-2011-3/FA-10-69-2\n\nPrior Year Internal Control Report Recommendation Moved to Management Letter\nDuring FY 2011:\n\nRecommendation                  Original Report Number\nFS-07-06                        2008-2/FA-0034-2\n\nOpen Recommendations as of September 30, 2011:\n\nRecommendation                  Report\nPrior Years'\n FS-07-04 *Modified             2008-2/FA-0034-2\n FS-07-07                       2008-2/FA-0034-2\n FS-07-08                       2008-2/FA-0034-2\n FS-07-09                       2008-2/FA-0034-2\n FS-07-10                       2008-2/FA-0034-2\n FS-07-11                       2008-2/FA-0034-2\n FS-07-12 *Modified             2008-2/FA-0034-2\n FS-07-13                       2008-2/FA-0034-2\n FS-07-14                       2008-2/FA-0034-2\n FS-07-15                       2008-2/FA-0034-2\n FS-07-17                       2008-2/FA-0034-2\n FS-07-16                       2008-2/FA-0034-2\n FS-07-18                       2008-2/FA-0034-2\n FS-08-01 *Modified             AUD-2009-2/FA-08-49-2\n FS-08-02 *Modified             AUD-2009-2/FA-08-49-2\n FS-08-03 *Modified             AUD-2009-2/FA-08-49-2\n FS-09-01                       AUD-2010-2/FA-09-64-2\n FS-09-02                  
     AUD-2010-2/FA-09-64-2\n FS-09-03                       AUD-2010-2/FA-09-64-2\n FS-09-04                       AUD-2010-2/FA-09-64-2\n FS-09-05 *Modified             AUD-2010-2/FA-09-64-2\n FS-09-06 *Modified             AUD-2010-2/FA-09-64-2\n FS-09-07                       AUD-2010-2/FA-09-64-2\n FS-09-08 **2                   AUD-2010-2/FA-09-64-2\n FS-09-09 **                    AUD-2010-2/FA-09-64-2\n FS-09-10 **                    AUD-2010-2/FA-09-64-2\n FS-09-11 **                    AUD-2010-2/FA-09-64-2\n FS-09-12                       AUD-2010-2/FA-09-64-2\n FS-09-13                       AUD-2010-2/FA-09-64-2\n FS-09-14                       AUD-2010-2/FA-09-64-2\n FS-09-15                       AUD-2010-2/FA-09-64-2\n\n\n\n\n                                          21\n\x0c               EXHIBIT I - Status of Internal Control Report Recommendations\n\n\nRecommendation                         Report\n FS-09-16                               AUD-2010-2/FA-09-64-2\n FS-09-17 *Modified                     AUD-2010-2/FA-09-64-2\n FS-09-18                               AUD-2010-2/FA-09-64-2\n FS-09-19                               AUD-2010-2/FA-09-64-2\n FS-09-20                               AUD-2010-2/FA-09-64-2\n FS-10-01                              AUD-2011-3/FA-10-69-2\n FS-10-02                              AUD-2011-3/FA-10-69-2\n FS-10-03 *Modified                     AUD-2011-3/FA-10-69-2\n FS-10-04                              AUD-2011-3/FA-10-69-2\n FS-10-05                              AUD-2011-3/FA-10-69-2\nFY Ended September 30, 2011\n FS-11-01                               AUD-2012-1/FA-11-82-1\n FS-11-02                               AUD-2012-1/FA-11-82-1\n FS-11-03                               AUD-2012-1/FA-11-82-1\n FS-11-04                               AUD-2012-1/FA-11-82-1\n FS-11-05                               AUD-2012-1/FA-11-82-1\n FS-11-06                               AUD-2012-1/FA-11-82-1\n FS-11-07                            
   AUD-2012-1/FA-11-82-1\n FS-11-08                               AUD-2012-1/FA-11-82-1\n FS-11-09                               AUD-2012-1/FA-11-82-1\n FS-11-10                               AUD-2012-1/FA-11-82-1\n FS-11-11                               AUD-2012-1/FA-11-82-1\n FS-11-12                               AUD-2012-1/FA-11-82-1\n FS-11-13                               AUD-2012-1/FA-11-82-1\n FS-11-14                               AUD-2012-1/FA-11-82-1\n FS-11-15                               AUD-2012-1/FA-11-82-1\n FS-11-16                               AUD-2012-1/FA-11-82-1\n FS-11-17                               AUD-2012-1/FA-11-82-1\n\n\n1\n  *Modified: indicates that the previously reported recommendation has been slightly modified to reflect\ncurrent conditions.\n2\n  **Recommendation remains open pending completion by management to acknowledge closure. This\nrecommendation was not included in the FY 2011 financial report.\n\n\n\n\n                                                    22\n\x0c   Report on Internal Controls Related to the\n    Pension Benefit Guaranty Corporation\xe2\x80\x99s\nFiscal Year 2011 and 2010 Financial Statements\n\n\n    Audit Report AUD-2012-2 / FA-11-82-2\n\n\n\n\n                 Section II\n\n        Management Comments\n\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0cIf you want to report or discuss confidentially any instance\n of misconduct, fraud, waste, abuse, or mismanagement,\n      please contact the Office of Inspector General.\n\n\n\n                       Telephone:\n            The Inspector General\xe2\x80\x99s HOTLINE\n                    1-800-303-9737\n\n  The deaf or hard of hearing, dial FRS (800) 877-8339\n   and give the Hotline number to the relay operator.\n\n\n\n                           Web:\n       http://oig.pbgc.gov/investigation/details.html\n\n\n\n                         Or Write:\n          Pension Benefit Guaranty Corporation\n               Office of Inspector General\n                   
  PO Box 34177\n             Washington, DC 20043-4177\n\x0c"